policycoreutils-3.6-7

- restorecond.service: Use Type=simple Resolves: RHEL-142541
2026-04-07 15:56:34 +02:00 · 2026-04-07 15:56:34 +02:00 · 5219172d69
commit 5219172d69
parent ba01c23cb6
3 changed files with 139 additions and 1 deletions
--- a/0029-restorecond-Add-F-for-run-in-foreground.patch
+++ b/0029-restorecond-Add-F-for-run-in-foreground.patch
@ -0,0 +1,94 @@
+From 7e91c46817f113898d79326cf7b3ba8228894e42 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Thu, 2 Apr 2026 17:17:12 +0200
+Subject: [PATCH] restorecond: Add -F for run in foreground
+Content-type: text/plain
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ restorecond/restorecond.8 |  5 ++++-
+ restorecond/restorecond.c | 13 ++++++++-----
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/restorecond/restorecond.8 b/restorecond/restorecond.8
+index bf8ec87562f8..bb99b24a2d69 100644
+--- a/restorecond/restorecond.8
+++ b/restorecond/restorecond.8
+@@ -3,7 +3,7 @@
+ restorecond \- daemon that watches for file creation and then sets the default SELinux file context
+ 
+ .SH "SYNOPSIS"
+-.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v]
+.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-F] [\-u] [\-v]
+ .P
+ 
+ .SH "DESCRIPTION"
+@@ -26,6 +26,9 @@ Print usage statement.
+ .B \-f restorecond_file
+ Use alternative restorecond.conf file.
+ .TP
+.B \-F
+Run in foreground, do not become a daemon.
+.TP
+ .B \-u
+ Turns on user mode.  Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf.  Uses dbus to make sure only one restorecond is running per user session.
+ .TP
+diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
+index d5f70fc2e2c1..36f82ae5e9cb 100644
+--- a/restorecond/restorecond.c
+++ b/restorecond/restorecond.c
+@@ -76,6 +76,7 @@ int debug_mode = 0;
+ int terminate = 0;
+ int master_wd = -1;
+ int run_as_user = 0;
+int foreground_mode = 0;
+ 
+ static void done(void) {
+ 	watch_list_free(master_fd);
+@@ -124,7 +125,7 @@ static void term_handler(int s __attribute__ ((unused)))
+ 
+ static void usage(char *program)
+ {
+-	printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
+	printf("%s [-d] [-f restorecond_file ] [-F] [-n] [-u] [-v] \n", program);
+ }
+ 
+ void exitApp(const char *msg)
+@@ -165,7 +166,7 @@ int main(int argc, char **argv)
+ 	sigaction(SIGTERM, &sa, NULL);
+ 
+ 	atexit( done );
+-	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
+	while ((opt = getopt(argc, argv, "hdf:Fuv")) > 0) {
+ 		switch (opt) {
+ 		case 'd':
+ 			debug_mode = 1;
+@@ -173,6 +174,9 @@ int main(int argc, char **argv)
+ 		case 'f':
+ 			watch_file = optarg;
+ 			break;
+		case 'F':
+			foreground_mode = 1;
+			break;
+ 		case 'u':
+ 			run_as_user = 1;
+ 			break;
+@@ -209,13 +213,12 @@ int main(int argc, char **argv)
+ 
+ 	read_config(master_fd, watch_file);
+ 
+-	if (!debug_mode) {
+	if (!debug_mode && !foreground_mode) {
+ 		if (daemon(0, 0) < 0)
+ 			exitApp("daemon");
+		write_pid_file();
+ 	}
+ 
+-	write_pid_file();
+-
+ 	while (watch(master_fd, watch_file) == 0) {
+ 	}
+ 
+-- 
+2.53.0
+
--- a/0030-restorecond.service-Use-Type-simple.patch
+++ b/0030-restorecond.service-Use-Type-simple.patch
@ -0,0 +1,39 @@
+From dd4686ae541637671d1e2c0e8fc2f3605fd6dc4b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Thu, 2 Apr 2026 17:19:05 +0200
+Subject: [PATCH] restorecond.service: Use Type=simple
+Content-type: text/plain
+
+There's a race condition when daemon() in parent process immediately
+exits while pid file is not created or updated. Using Type=forking it
+can confuse systemd which tries to open non-existing pid file. It's
+better to run restocond in foreground and use Type=simple
+
+Fixes:
+
+    openat(80</run>, "restorecond.pid", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory) <0.000006>
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+---
+ restorecond/restorecond.service | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
+index 0e4ea72d08ae..56f970707d93 100644
+--- a/restorecond/restorecond.service
+++ b/restorecond/restorecond.service
+@@ -5,9 +5,8 @@ ConditionPathExists=/etc/selinux/restorecond.conf
+ ConditionSecurity=selinux
+ 
+ [Service]
+-Type=forking
+-ExecStart=/usr/sbin/restorecond
+-PIDFile=/run/restorecond.pid
+Type=simple
+ExecStart=/usr/sbin/restorecond -F
+ 
+ [Install]
+ WantedBy=multi-user.target
+-- 
+2.53.0
+
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -11,7 +11,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 3.6
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
@ -64,6 +64,8 @@ Patch0025: 0025-sandbox-seunshare-Replace-system-with-execv-to-preve.patch
 Patch0026: 0026-semanage-improve-e-documentation-and-fix-delete-oper.patch
 Patch0027: 0027-improve-semanage-man-pages-Add-examples-for-r-RANGE-.patch
 Patch0028: 0028-semanage-fcontext-8-improve-e-documentation.patch
+Patch0029: 0029-restorecond-Add-F-for-run-in-foreground.patch
+Patch0030: 0030-restorecond.service-Use-Type-simple.patch
 # Patch list end
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -473,6 +475,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Tue Apr 07 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.6-7
+- restorecond.service: Use Type=simple
+
 * Tue Feb 24 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.6-6
 - Improve semanage-fcontext(8) man page